[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

How to involve IP address and/or Mac address in NAT rule

Posted on 2004-10-06
1
Medium Priority
?
226 Views
Last Modified: 2010-08-05
My server (Linux redhat) is providing NAT service to my LAN using this rule

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

eth0 is my LAN card interface
eth1 is the public LAN card interface

My question is how to provide NAT service only to one LAN workstation (192.168.0.8) and involve MAC address in this rule to avoid internal hackers using that IP.

Thanks to you all !
0
Comment
Question by:diordonez
1 Comment
 
LVL 12

Accepted Solution

by:
mburdick earned 750 total points
ID: 12243929
While you can accomplish what you want easily, you should be warned that you aren't adding much security to your network.

If a user is smart enough to hard-code an IP to get access, it's likely that they can also override the MAC on their NIC as well. And, your security controls still don't stop them.

A sample of an IPTABLES rule that allows you to integrate a source MAC is:

-A FORWARD -s 172.20.20.11  -i eth0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
0

Featured Post

The eGuide to Automating Firewall Change Control

Today’s IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
There may be issues when you are trying to access Outlook or send & receive emails or due to Outlook crash which leads to corrupt or damaged PST file. To eliminate the corruption from your PST file, you need to repair the corrupt Outlook PST file. U…
Suggested Courses
Course of the Month8 days, 23 hours left to enroll

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question